Safety

Note: CRUDE INCOMPLETE and FAULTY DRAFT.

LIMITS

Normal Limits

Axes: Hour angle, declination, secondary focus

Although the software will try to prevent the axes from striking a limit, when one has been struck the motor controller will cause the motor associated with that axis to stop and the program will issue an error. To move the axis off the limit simply make a new command to put the axis is a position in the opposite direction.

The normal limits are used to determine the end of motion. The limits cause the motor to stop moving in the active direction.

Failsafe Limits

Axes: Hour angle, declination The failsafe limits lie outside of the normal limits and should not normally be struck. There will be two indications of the limit strike: 1) the panel light will be illuminated 2) the software will know the offending limit. When a limit is hit, the +HV power to the affected drive motor will be turned off preventing any motion. Finally the observatory will execute an emergency closedown (see below).

Something bad must have happened when the telescope hits the failsafe limits so expert manual intervention will be needed. To get the axis off the limit the telescope worm gears must be turned by hand to reestablish power to the drive amplifier.

Tilt Limits

Both the normal and failsafe tilt limits have all been wired in series and act as a failsafe and disable the hour angle and declination drive amplifiers. To recover requires manual intervention. This procedure is chosen because the tilt limits should never be tripped under normal operation and the determine the direction to get out of the limit may be subtle.

Pier Limits

The telescope can strike the north pier when drive far north and west. We propose to install a pull wire that actuates a limit switch be installed parallel to the West pier at a yet to be determined distance. This limit will prevent further north and west motion, but will allow south and east.

SAFETY SWITCHES

EStop

There is are two emergency stop button they are located at:

somewhere in the dome
somewhere else

Once depressed the stop will illuminate and remain engaged until twisted out.

The emergency stop button will turn off the d.c. power to the following motors:

Hour angle
Declination
Mirror cover
Secondary focus,

It will also stop and prevent:

Dome rotation
Shutter motion      Note: this is why the EStop is not weather safe.

Dome Floor Switch

When the floor is raised the dome floor switch will open and the limits to the Hour angle and Declination drive amplifiers will be disabled. There is no way to override this switch, the only way to regain telescope motion is to lower the floor.

Shutter Deadman

There is deadman timer that must be activated by software at least every 300 seconds in order to keep the dome shutter open. If this is not activated, the dome shutter will close automatically. This interval was chosen since it is similar to the shutter close time yet long enough that the software should easily be able to service it. Closing the shutter by the deadman should be avoided as it bypasses stowing the telescope and closing the mirror. It should occur if there is a software and/or computer failure.

FAULTS

Power Supply

The power supply voltage as well as status lines will be monitored.

Encoder

Many encoders have fault indicators, these will be monitored.

UPS

The UPS status will be read. If there is a low time message occurs the telescope will shut down.

Amplifier

The amplifiers have a fault reading as well as a current monitor. These will be read and interpreted.

PMAC Deadman

PMAC deadman opens when there is a failure in the PMAC. When this failure occurs it will disable the power to all the drive amplifiers.

MISCELLANEOUS

Klaxon

The warning klaxon will be sounded:

before slews that exceed xx degrees per second
dome moves
shutter opening and closing

The duration and loudness of the klaxon will be adjusted for minimal annoyance. There will also be an audio output in the control room of the encoders so you can "listen" to the motors move.

Power

There is a hand thrown circuit breaker that protects and can be used to disconnect power to the rack. It does not remove power from the interior light nor the plug strip that powers the computer. This can be used if there is a drastic failure.

There is also a solid state relay that controls the a.c. input to the power supplies. When shutting down the telescope for the night, this will be turned off by computer.

There is a solid state relay on the amplifier power supply d.c. output. This will be turned off in fault conditions by relays.

OPERATIONS

Normal Operation both for opening and staying open

In order for the telescope to operate and the shutter to stay open the following conditions must be met:

Good weather
No Faults
No failsafe or tilt limit strikes

The software will test these conditions at least once per minute and strobe the deadman switch. If any problems are found, a shutdown sequence will be executed.

Normal Closing

The normal sequence of closing the observatory is:

Stow telescope to the vertical
Close mirror
Close drop shutter
Close shutter
Turn off d.c. power supplies

Emergency Closing

In the event of a failsafe or tilt limit strike or a Fault the normal sequence of closing may not be available. The software will attempt to do a normal close, but skip any error conditions rapidly. The closing of the shutter is the most critical and will not be skipped.

Panic Closing

When the shutter deadman fires, only the shutter will close. This is not really desirable (see above).

MAINTENANCE SAFETY

It is important that anyone working in the observatory can ensure that nothing will start automatically and unexpectedly if they are working around the telescope or dome.

I don't really trust software lockouts for this purpose. Instead, I plan on the following.

The EStop button will disable the motion of almost everything. The trouble with it is that you can't move anything either. There will be maintenance paddles that will plug into the electronics and disable automatic control. These paddle should be used whenever remote or autonomous motion is unacceptable. The software will be aware that a paddle is plugged in, but it will be powerless to do remove it.

When done, the paddle is removed and replaced with a jumper to resume automatic operation.

PROCEDURES

Shutter opening

SPECULATION The shutter has two parts: the main shutter and the drop leaf.

There are four controls:

Power
Direction of motion
Move Shutter
Move dropleaf

There are five sensors:

Shutter closed
Dropleaf open
Drop leaf close
Shutter midway

The constraints are that the drop leaf must be closed before the main shutter can be closed and conversely the main shutter must be open before the drop leaf can be opened.

MDM Index